[wp-trac] [WordPress Trac] #61501: KSES Allow more custom data attributes to align with browsers

WordPress Trac noreply at wordpress.org
Thu Sep 18 17:46:11 UTC 2025


#61501: KSES Allow more custom data attributes to align with browsers
--------------------------------------+---------------------
 Reporter:  jonsurrell                |       Owner:  (none)
     Type:  enhancement               |      Status:  new
 Priority:  normal                    |   Milestone:  6.9
Component:  Formatting                |     Version:  6.6
 Severity:  normal                    |  Resolution:
 Keywords:  has-patch has-unit-tests  |     Focuses:
--------------------------------------+---------------------

Comment (by dmsnell):

 I did start to look for ways to audit existing usage and it’s hard 😅

 Part of this is still me not fully understanding the threat models about
 which we are concerned. There’s a kind of paradox here: any custom data
 attributes which are currently used are already allowed by Core, so
 auditing existing usage may not reveal much.

 At some point I remember discussion about trying to resolve sensitivity
 issues in the code where they exist. For example, the Interactivity API
 should be careful to avoid introducing exploits based on its usage of data
 attributes. Is it reasonable to apply that logic here and open up the data
 attributes, given that the kind of universal understanding of them is that
 they are neutral attributes with no predefined meaning or behavior?

 Maybe we can draw a parallel to post meta. There could be dangerous
 interactions with plugins that read post meta, but it’s the responsibility
 of the plugin generating the content to be safe with it.

 ---

 After having reviewed the linked PR I realize this is different than my
 memory has it. Why don’t I separate it into one patch which adds the
 `dataset` name transformation and another which incorporates that into
 KSES code?

 This reminds me of #63804 and I wonder if we have room for a `js-compat.php`
 module where we could add functions whose purpose is to harmonize
 understanding of JavaScript from PHP.

 {{{#!php
 <?php
 /**
  * Functions providing PHP-based understanding of JavaScript semantics.
  *
  * @group js-interop
  */

 function wp_js_dataset_name( string $html_attribute_name ): ?string {
         …
 }

 function wp_js_trim( string $text ): string {
         …
 }

 function wp_js_strlen( string $text ): int {
         …
 }
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/61501#comment:12>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
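The `dataset` name transformation the comment proposes to isolate, as an added example that is not code from the ticket or from WordPress core: it implements the HTML Standard's DOMStringMap name conversion in the shape of the sketched `wp_js_dataset_name()`, plus a hypothetical inverse `wp_js_dataset_attribute_name()` (PHP 7.4+ for the arrow functions).

```php
<?php
// Added example, not WordPress core code: the HTML Standard's `element.dataset`
// name conversion. wp_js_dataset_attribute_name() is a hypothetical inverse.

/**
 * Returns the key under which a browser exposes an attribute in `element.dataset`,
 * or null when the browser would not expose it at all.
 */
function wp_js_dataset_name( string $html_attribute_name ): ?string {
	// Only attributes whose name starts with "data-" are exposed.
	if ( 0 !== strpos( $html_attribute_name, 'data-' ) ) {
		return null;
	}
	$name = substr( $html_attribute_name, 5 );
	// The spec skips names containing ASCII upper alphas after the prefix.
	if ( 1 === preg_match( '/[A-Z]/', $name ) ) {
		return null;
	}
	// A "-" followed by a lowercase ASCII letter is dropped, the letter uppercased.
	return preg_replace_callback(
		'/-([a-z])/',
		static fn( array $m ): string => strtoupper( $m[1] ),
		$name
	);
}

/**
 * Returns the attribute name that `element.dataset[$key] = '...'` writes to,
 * or null when the browser would throw a SyntaxError for that key.
 */
function wp_js_dataset_attribute_name( string $dataset_key ): ?string {
	// A "-" followed by a lowercase ASCII letter cannot round-trip; browsers reject it.
	if ( 1 === preg_match( '/-[a-z]/', $dataset_key ) ) {
		return null;
	}
	// Each uppercase ASCII letter becomes "-" plus its lowercase form.
	return 'data-' . preg_replace_callback(
		'/[A-Z]/',
		static fn( array $m ): string => '-' . strtolower( $m[0] ),
		$dataset_key
	);
}

// Constructed checks; the expected values follow the HTML Standard's algorithm.
assert( 'wpInteractive' === wp_js_dataset_name( 'data-wp-interactive' ) );
assert( 'Foo' === wp_js_dataset_name( 'data--foo' ) );
assert( null === wp_js_dataset_name( 'data-Foo' ) );
assert( null === wp_js_dataset_name( 'aria-label' ) );
assert( 'data-wp-interactive' === wp_js_dataset_attribute_name( 'wpInteractive' ) );
assert( null === wp_js_dataset_attribute_name( 'wp-interactive' ) );
```

Because the HTML parser lowercases attribute names, the uppercase case only arises for names set through DOM APIs or seen in raw markup before parsing, which is where a KSES-side check would run.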